Reference configuration article:
http://skyeywolf.blog.163.com/blog/static/95727236201021194716320/
Step 1: generate the certificates
Copy the following into a .bat file and run it (the path and the certificate aliases can be changed).
※ Also create a file named prompt.ini in the same directory as the .bat file, containing "y" followed by a newline (it answers keytool's "Trust this certificate?" prompt).

@ECHO off
chcp 936
set "CACERTS_ALIAS=server2"
set "CLIENT_ALIAS=client2"
set "ROOT_PATH=D:\tools\tomcat\keys"
set "PASS=changeit"
rem ECHO %ROOT_PATH%
rem NOTE: the keytool on PATH must belong to the same JDK that runs Tomcat (see the note in step 3)
rem tomcat server: generate the server key pair into tomcat.keystore
keytool -genkey -v -alias %CACERTS_ALIAS% -keyalg RSA -keystore "%ROOT_PATH%\tomcat.keystore" -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass %PASS% -keypass %PASS%
rem client: generate the client key pair into client.p12 (PKCS12 keystore)
keytool -genkey -v -alias %CLIENT_ALIAS% -keyalg RSA -storetype PKCS12 -keystore "%ROOT_PATH%\client.p12" -dname "CN=client,OU=cn,L=cn,ST=cn,C=cn" -storepass %PASS% -keypass %PASS%
rem export the server certificate tomcat.cer (PEM, -rfc) from tomcat.keystore
keytool -export -alias %CACERTS_ALIAS% -keystore "%ROOT_PATH%\tomcat.keystore" -storepass %PASS% -rfc -file "%ROOT_PATH%\tomcat.cer"
rem export the client certificate client.cer (PEM, -rfc) from client.p12
keytool -export -alias %CLIENT_ALIAS% -keystore "%ROOT_PATH%\client.p12" -storetype PKCS12 -storepass %PASS% -rfc -file "%ROOT_PATH%\client.cer"
rem import client.cer into tomcat.keystore as a trusted cert (server-side trust store for clientAuth)
rem prompt.ini feeds the "y" answer to the trust prompt; keytool -noprompt would achieve the same
keytool -import -alias %CLIENT_ALIAS% -v -file "%ROOT_PATH%\client.cer" -keystore "%ROOT_PATH%\tomcat.keystore" -storepass %PASS% < prompt.ini
rem import tomcat.cer into the JDK cacerts as a trusted cert (client-side trust store)
rem the default cacerts password is changeit, which is why %PASS% works here
keytool -import -alias %CACERTS_ALIAS% -v -file "%ROOT_PATH%\tomcat.cer" -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass %PASS% < prompt.ini
rem verify that client.cer was imported into tomcat.keystore
keytool -list -keystore "%ROOT_PATH%\tomcat.keystore" -storepass %PASS% > "%ROOT_PATH%\tomcat.keystore_list.log"
rem verify that tomcat.cer was imported into the client's trusted cacerts
keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass %PASS% > "%ROOT_PATH%\jdk_cacert_trusted.log"
echo done
pause

Step 2: enable the HTTPS service in the Tomcat configuration file (you only need to uncomment the following Connector in conf/server.xml and add the matching certificate file and password attributes). The first line is the stock Connector line that is already present in the commented-out section; the keystore and truststore attributes are the ones you add:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:\tools\tomcat\keys\tomcat.keystore"
keystorePass="changeit"
truststoreFile="D:\tools\tomcat\keys\tomcat.keystore"
truststorePass="changeit"
/>

Step 3: restart Tomcat and try to open https://localhost:8443
※ If you get a PKIX certificate validation error, the server certificate has not been added to the client's trust keystore (by default jre\lib\security\cacerts).
※ clientAuth="false" controls whether two-way (mutual) authentication is enabled: with true, the client's certificate must be verified; with false, a client without a certificate can still access the site.
※ When generating the certificates, make sure you use the same JDK as Tomcat (each JDK installation has its own cacerts file, so an import into a different JDK's cacerts has no effect).
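As an added example (not from the original article), here is a small Java client that exercises the clientAuth="true" case from step 3 without touching the global cacerts: it trusts only tomcat.cer and presents client.p12. The class name is my own; it assumes the key directory, the "changeit" password and the server2 alias from step 1, and a Tomcat listening on port 8443.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsCheck {
    // Assumed: same directory and password as the step 1 script
    static final String KEYS = "D:\\tools\\tomcat\\keys\\";
    static final char[] PASS = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        // In-memory trust store holding only tomcat.cer: the self-signed server
        // certificate is trusted explicitly, so no PKIX error and no edit to cacerts.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        try (InputStream in = new FileInputStream(KEYS + "tomcat.cer")) {
            trust.setCertificateEntry("server2",
                    CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // Key store from client.p12: the certificate Tomcat asks for when the Connector
        // has clientAuth="true" (client.cer was imported into tomcat.keystore, which the
        // Connector uses as truststoreFile, so the server will accept it).
        KeyStore client = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYS + "client.p12")) {
            client.load(in, PASS);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(client, PASS);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // Hostname verification stays enabled: the server cert was issued to CN=localhost.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP status: " + conn.getResponseCode());
        X509Certificate serverCert = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("Server cert subject: " + serverCert.getSubjectX500Principal());
    }
}
```

With clientAuth="false" the same program still connects; the client certificate is simply never requested.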